From 91bbc1101f236925d21017f808f887f6672261b9 Mon Sep 17 00:00:00 2001
From: Marshall Hallenbeck
Date: Fri, 24 Mar 2023 16:33:59 -0400
Subject: [PATCH] fix(ntlmv1): fix error handling when remote registry cannot be accessed or registry entry doesnt exist
---
 cme/modules/ntlmv1.py | 64 +++++++++++++++++++++++--------------------
 1 file changed, 35 insertions(+), 29 deletions(-)
diff --git a/cme/modules/ntlmv1.py b/cme/modules/ntlmv1.py
index a9194ee4..a27a0441 100644
--- a/cme/modules/ntlmv1.py
+++ b/cme/modules/ntlmv1.py
@@ -1,48 +1,54 @@ #!/usr/bin/env python3 # -*- coding: utf-8 -*- +import logging from impacket.dcerpc.v5 import rrp from impacket.examples.secretsdump import RemoteOperations from impacket.dcerpc.v5.rrp import DCERPCSessionError + class CMEModule: - ''' - Detect if the targets's LmCompatibilityLevel will allow NTLMv1 authentication + """ + Detect if the target's LmCompatibilityLevel will allow NTLMv1 authentication Module by @Tw1sm - ''' - name = 'ntlmv1' - description = 'Detect if lmcompatibilitylevel on the target is set to 0 or 1' - supported_protocols = ['smb'] - opsec_safe= True + """ + name = "ntlmv1" + description = "Detect if lmcompatibilitylevel on the target is set to 0 or 1" + supported_protocols = ["smb"] + opsec_safe = True multiple_hosts = True def options(self, context, module_options): - self.output = 'NTLMv1 allowed on: {} - LmCompatibilityLevel = {}' + self.output = "NTLMv1 allowed on: {} - LmCompatibilityLevel = {}" def on_admin_login(self, context, connection): try: - remoteOps = RemoteOperations(connection.conn, False) - remoteOps.enableRegistry() + remote_ops = RemoteOperations(connection.conn, False) + remote_ops.enableRegistry() - if remoteOps._RemoteOperations__rrp: - ans = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp) - regHandle = ans['phKey'] + if remote_ops._RemoteOperations__rrp: + ans = rrp.hOpenLocalMachine(remote_ops._RemoteOperations__rrp) + reg_handle = ans["phKey"] + ans = rrp.hBaseRegOpenKey( + remote_ops._RemoteOperations__rrp, + reg_handle, + "SYSTEM\\CurrentControlSet\\Control\\Lsa" + ) + key_handle = ans['phkResult'] + rtype = None + data = None + try: + rtype, data = rrp.hBaseRegQueryValue( + remote_ops._RemoteOperations__rrp, + key_handle, + "lmcompatibilitylevel\x00" + ) + except rrp.DCERPCSessionError as e: + logging.debug(f"Unable to reference lmcompatabilitylevel, which probably means ntlmv1 is not set") - ans = rrp.hBaseRegOpenKey(remoteOps._RemoteOperations__rrp, regHandle, 
'SYSTEM\\CurrentControlSet\\Control\\Lsa') - keyHandle = ans['phkResult'] - - rtype, data = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, 'lmcompatibilitylevel\x00') - - if int(data) in [0, 1, 2]: + if rtype and data and int(data) in [0, 1, 2]: context.log.highlight(self.output.format(connection.conn.getRemoteHost(), data)) - - try: - remoteOps.finish() - except: - pass - except DCERPCSessionError as e: - try: - remoteOps.finish() - except: - pass \ No newline at end of file + logging.debug(f"Error connecting to RemoteRegistry: {e}") + finally: + remote_ops.finish()
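Review bot: The new guard `if rtype and data and int(data) in [0, 1, 2]:` misses the very case this module exists to report: hBaseRegQueryValue appears to return a REG_DWORD as a plain int, so a host with LmCompatibilityLevel explicitly set to 0 yields `data == 0`, which is falsy and skips the highlight, leaving only the 1 and 2 cases detected. Use `if rtype is not None and data is not None and int(data) in [0, 1, 2]:` so that only the absent-value case (both still None after the inner except) is excluded. The `finally: remote_ops.finish()` also runs when `RemoteOperations(...)` itself raised, where `remote_ops` is unbound, and when enableRegistry() failed before the service was started, where finish() may raise in turn; the removed code swallowed that deliberately, so initialise `remote_ops = None` before the try and call finish() only when it is set, keeping a narrow except around it if finish() is known to throw there. In the inner handler the f-string has no placeholders and `e` is unused, the message misspells lmcompatibilitylevel, and both debug lines go to the root `logging` logger while the line below uses `context.log`; `context.log.debug("Unable to read lmcompatibilitylevel: %s", e)` would be consistent. I am assuming the `except DCERPCSessionError as e:` line survives as context here, since the collapsed hunk makes its marker ambiguous.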